Peer-to-peer (P2P) communication, and in fact all types of communication, depend on the possibility of establishing valid connections between selected entities. However, entities may have one or several addresses that may vary because the entities move in the network, because the topology changes, or because an address lease cannot be renewed. A classic architectural solution to this addressing problem is thus to assign to each entity a stable name, and to “resolve” this name to a current address when a connection is needed. This name to address translation must be very robust, and it must also allow for easy and fast updates.
To increase the likelihood that an entity's address may be found by those seeking to connect to it, many peer-to-peer protocols, including the Peer Name Resolution Protocol (PNRP), allow entities to publish their address through various mechanisms. Some protocols also allow a client to acquire knowledge of other entities' addresses through the processing of requests from others in the network. Indeed, it is this acquisition of address knowledge that enables successful operation of peer-to-peer networks. That is, the better the information about other peers in the network, the greater the likelihood that a search for a particular resource will converge.
However, without a robust security infrastructure underlying the peer-to-peer protocol, malicious entities can easily disrupt the ability for such peer-to-peer systems to converge. Such disruptions may be caused, for example, by an entity that engages in identity theft. In such an identity theft attack on the peer-to-peer network, a malicious node publishes address information for identifications (IDs) with which it does not have an authorized relationship, i.e. it is neither the owner nor a group member, etc. A malicious entity could also intercept and/or respond first before the good node responds, thus appearing to be the good node.
Commonly, P2P network attacks may attempt to disrupt or exhaust node or network resources. In PNRP, a malicious entity could also obstruct PNRP resolution by flooding the network with bad information so that other entities in the network would tend to forward requests to nonexistent nodes (which would adversely affect the convergence of searches), or to nodes controlled by the attacker. PNRP's name resolution ability could also be degraded by modifying the RESOLVE packet used to discover resources before forwarding it to a next node, or by sending an invalid RESPONSE to back to the requester that generated the RESOLVE packet. A malicious entity could also attempt to disrupt the operation of the peer-to-peer network by trying to ensure that searches will not converge by, for example, instead of forwarding the search to a node in its cache that is closer to the ID to aid in the search convergence, forwarding the search to a node that is further away from the requested ID. Alternatively, the malicious entity could simply not respond to the search request at all. The PNRP resolution could be further hampered by a malicious node sending an invalid BYE message on behalf of a valid ID. As a result, other nodes in the cloud will remove this valid ID from their cache, decreasing the number of valid nodes stored therein.
While simply validating address certificates may prevent the identity theft problem, such is ineffective against an attack that impedes PNRP resolution. An attacker can continue to generate verifiable address certificates (or have them pre-generated) and flood the corresponding IDs in the peer-to-peer cloud. If any of the nodes attempts to verify ownership of the ID, the attacker would be able to verify that it is the owner for the flooded IDs because, in fact, it is. However, if the attacker manages to generate enough IDs it can bring most of the peer-to-peer searches to one of the nodes it controls. Once a malicious node brings the search to controlled node, the attacker fairly controls and directs the operation of the network.
A malicious node may also attempt a denial of service (DoS) attack. When a P2P node changes, it may publish its new information to other network nodes. If all the nodes that learn about the new node records try to perform an ID ownership check, a storm of network activity against the advertised ID owner will occur. Exploiting this weakness, an attacker could mount an internet protocol (IP) DoS attack against a certain target by making that target very popular. For example, if a malicious entity advertises an Internet Website IP address as the updated node's ID IP, all the nodes in the peer-to-peer network that receive this advertised IP will try to connect to that IP to verify the authenticity of the record. Of course, the Website's server will not be able to verify ownership of the ID because the attacker generated this information. However, the damage has already been done. That is, the attacker convinced a good part of the peer-to-peer community to flood the IP address with validation requests and may have effectively shut it down.
Another type of DoS attack that overwhelms a node or a cloud by exhausting one or more resources occurs when a malicious node sends a large volume of invalid/valid peer address certificates (PACs) to a single node (e.g. by using FLOOD/RESOLVE/SOLICIT packets). The node that receives these PACs will consume all its CPU trying to verify all of the PACs. Similarly, by sending invalid FLOOD/RESOLVE packets, a malicious node will achieve packet multiplication within the cloud. That is, the malicious node can consume network bandwidth for a PNRP cloud using a small number of such packets because the node to which these packets are sent will respond by sending additional packets. Network bandwidth multiplication can also be achieved by a malicious node by sending bogus REQUEST messages to which good nodes will respond by FLOODing the PACs, which are of a larger size than the REQUEST.
A malicious node can also perpetrate an attack in the PNRP cloud by obstructing the initial node synch up. That is, to join the PNRP cloud a node tries to connect to one of the nodes already present in the PNRP cloud. If the node tries to connect to the malicious node, it can be completely controlled by that malicious node. Further, a malicious node can send invalid REQUEST packets when two good nodes are involved in the synchronization process. This is a type of DoS attack that will hamper the synch up. Because the invalid REQUEST packets generate FLOOD messages in response, initial node synch up may be hindered.
There exists a need in the art, therefore, for security mechanisms that will ensure the integrity of the P2P cloud by preventing or mitigating the effect of such attacks.